After such noteworthy breaches, the typical response has been to attribute the activity immediately in order to expose the adversary. After the 2014 Sony hack, North Korea was quickly singled out as the perpetrator, and in February 2015 the Director of National Intelligence attributed the Sands Casino hack to Iran. The emphasis falls on who was responsible for the breach rather than on why it was allowed to happen and how it could be prevented in the future.

The OPM hack bears considerable scrutiny because it occurred at a time when significant attention had been focused on the need to vastly improve the United States’ cybersecurity posture. Since 2008, when the Bush Administration established the Comprehensive National Cybersecurity Initiative (the CNCI) by a classified joint presidential directive, the U.S. has been cognizant of the threat posed by hostile actors, particularly those sponsored or directed by nation states. The Director of National Intelligence has listed cyber as an intelligence community priority in the past four Worldwide Threat Assessments, further indicating the importance placed on this domain.

Tuesday, June 16, 2015

In June 2015, we published Fidelis Threat Advisory #1017 and a blog post on unrelated cybercriminal activity based on the exploitation of CVE-2014-4114, using a novel technique that produced zero antivirus detections for an exploit of this well-known vulnerability. What originally drew our attention was that cybercriminals were now leveraging a vulnerability that had initially been exploited by advanced persistent threat (APT) actors in October 2014.

Yesterday (June 15, 2015), CitizenLab published a report revealing that hostile actors were using precisely the same technique involving CVE-2014-4114 against Tibetan and pro-democracy Hong Kong groups. While no explicit attribution was made in the report, preliminary analysis suggests that actors working in the interest of a government may be behind this activity. Suspected Chinese government-affiliated cyber espionage actors have historically conducted cyber operations against these groups to monitor their developments.

During our research, we noticed that several files shared the same original creation date (2011) and author (“aaa”) in the PowerPoint metadata. We traced these files to the original document: a PowerPoint presentation written in Chinese about China Cloud Computing Technology, entitled “Big Data as a Means of Ensuring Internet Security for the Military” (approximate translation). Although the original slide content had been removed, it is clear that someone had built and distributed phishing messages using it as the base PowerPoint document. The document is publicly available, but obscure enough to make this a very interesting finding.

Thursday, June 04, 2015

Note: Much of this information has been taken from an English translation of Qihoo 360’s SkyEye Labs report, and has been interpreted accordingly. The original report in Chinese can be found here.

In May 2015, the Chinese Internet company Qihoo 360’s SkyEye Labs accused an advanced persistent threat (APT) hacker group named “OceanLotus” of stealing Chinese government information. Specifically, the company claimed the group was working directly on behalf of a hostile foreign government.

According to the English translation of the report, the activity has targeted China since April 2012, going after maritime institutions, shipping enterprises, Chinese government departments and research institutes, and stealing sensitive information. Two primary tactics have been identified: socially engineered e-mails with attractive lures designed to entice recipients to open attachments with embedded Trojans, and what is best described as watering hole attacks. According to SkyEye Labs, more than 100 OceanLotus Trojan samples of four different types had been planted on computers in 29 Chinese provincial regions and 36 countries.

The activity started in April 2012 employing the “watering hole” technique, then stopped for a period of two years. It resumed in February 2014 in the form of spearphishing. Although the activity targeted other countries as well, 92% of the victims were located in China, with Beijing suffering the lion’s share of attacks.

Wednesday, May 27, 2015

As cybersecurity has become a dominant global national security issue, we have moved quickly with both the US government and Eastern European partners to provide innovative tools and resources to grow national capabilities to counter cyber threats. This month the US Cyber Trade Mission to Eastern Europe showcased one of those critical capabilities, the Romanian Cyber Innovation Center (CIC). We, along with the US Department of Commerce, are working with the Romanian National Computer Emergency Response Team (CERT-RO) to stand up this center, and wanted to share some insights since it’s important that we work together across governments and industry, and across country lines, to protect ourselves against advanced threats.

The CIC

What is a cyber innovation center? Along with the Romanian Ministry of Information, we envisioned a flexible facility equipped to provide cyber training, assess new technologies, and, most importantly, stimulate the development of new approaches and solutions to combat tough cyber issues. While the focus was on enhancing cybersecurity for both Romanian government organizations and industry, there was a strong desire to create a capability that was open to other Eastern European partners as well.

Friday, May 22, 2015

Thousands of HTTPS websites, mail servers and other services that rely on the Diffie-Hellman key exchange could be vulnerable to a flaw known as Logjam. A man-in-the-middle can downgrade a TLS connection to 512-bit export-grade Diffie-Hellman groups, which are weak enough to break with precomputation, allowing the attacker to read or modify traffic that was supposed to be encrypted.

CareFirst BlueCross BlueShield was the victim of a data breach that compromised the information of 1.1 million current and former customers. The breach occurred in June 2014. The database breached by the attackers included usernames, names, birth dates, e-mail addresses and subscriber identification numbers but did not include Social Security numbers, medical claims, employment, credit card or financial information.

Threat actors are using stolen credentials at an oil company to obtain proof-of-product documentation forms that can be used to collect up to $100,000 in advance of a purported exchange. The threat actors obtain the credentials through a phishing campaign whose lure is a PDF bundled with a self-extracting archive. Ten affected companies in the oil and gas maritime transportation sector have been identified, located in Spain, Germany, the U.K., Italy, Belgium, China and Singapore.

A new report found that retailers take 197 days on average to identify that they have been hit with an advanced threat and, once it is identified, 39 days to contain it. Financial services organizations took 98 and 26 days respectively. Respondents to the survey did not have high confidence in their ability to detect and contain threats: only 58 percent of financial services organizations said their technology and personnel were effective at detecting advanced threats.

A new vulnerability in a service called NetUSB, which lets USB devices plugged into a router be shared with other machines on the local network, could affect millions of routers. NetUSB is implemented in Linux-based embedded systems as a kernel driver. When a connecting computer announces a name longer than 64 characters, the driver copies it into a fixed-size buffer without checking the length, triggering a stack buffer overflow in the kernel that can result in remote code execution or denial of service.

Wednesday, May 06, 2015

Two weeks ago, Arbor Networks released details on a malware campaign called Bedep. It is a good write-up but the most interesting data point in this is how malware authors are changing the way they create domain generation algorithms (DGAs) to make life more difficult for security researchers.

The use of DGAs in malware is a double-edged sword for malware operators. On the one hand, it gives them a great deal of resiliency against takedowns and blocklists. On the other, researchers can crack the DGA and predict the malware’s future domains for use in sinkholing, takedowns or predictive blocklists.

Most DGA-based malware uses date-based generation, some use static seeds embedded in the malware, and many use a combination of both. Tinybanker/Tinba, for instance, uses only a seed (a hard-coded domain name) to generate its domains, but the seed changes frequently across builds, making it difficult for researchers to keep up.

That being said, it appears some DGA operators have taken steps to mitigate the risk of using predictable domains for their C2s. For instance, the Pushdo DGA written about in a recent Fidelis Threat Advisory uses the .kz top-level domain (TLD) for its domains. This creates two problems for researchers who want to register predicted domains ahead of the malware: the waiting period before a registered domain can be used, and the lack of WHOIS privacy protection.
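To make the double-edged sword concrete, here is an added example that is not Fidelis’s code and not the real algorithm of Bedep, Tinba or Pushdo: a toy DGA that mixes a static seed with the current date, and the defender’s side of the same algorithm, precomputing the next week’s domains for a blocklist and matching them against DNS log lines. The seed value, the SHA-256 construction, the label length rule and the log format are all assumptions made for the example, and the sample log is constructed.

```python
"""Toy date-plus-static-seed DGA and its use by a defender (added example).

Not a real malware family's algorithm; the seed, hash construction, label
length rule and DNS log format below are assumptions for illustration only.
"""
import hashlib
from datetime import date, timedelta


def dga(day: date, seed: bytes, count: int, tld: str = "com") -> list[str]:
    """Derive `count` domains for `day` from a static seed and the date.

    Anyone holding the seed and the date can reproduce the same list, which is
    exactly what lets researchers predict the malware's future C2 domains.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 10 + digest[0] % 7  # label of 10..16 lowercase letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{tld}")
    return domains


def predict_domains(seed: bytes, start: date, days: int, count: int) -> set[str]:
    """Defender side: once the algorithm and seed are recovered, precompute the
    domains the malware will use over the next `days` for sinkholing or a
    predictive blocklist."""
    predicted: set[str] = set()
    for offset in range(days):
        predicted.update(dga(start + timedelta(days=offset), seed, count))
    return predicted


def match_dns_log(lines: list[str], predicted: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, qname) for every log line whose queried name is a
    predicted DGA domain. Assumed log format: '<timestamp> <client> <qname> <qtype>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash the sweep
        qname = parts[2].lower().rstrip(".")
        if qname in predicted:
            hits.append((parts[1], qname))
    return hits


# Constructed sample data: a seed "recovered" from a sample, and a DNS log in
# which one client queried one of that day's generated domains.
RECOVERED_SEED = b"example-static-seed"
TODAY = date(2015, 5, 6)
SAMPLE_LOG = [
    "2015-05-06T09:14:02Z 10.0.0.21 www.example.org A",
    f"2015-05-06T09:14:07Z 10.0.0.21 {dga(TODAY, RECOVERED_SEED, 5)[2]} A",
    "2015-05-06T09:15:11Z 10.0.0.33 mail.example.org MX",
]

if __name__ == "__main__":
    blocklist = predict_domains(RECOVERED_SEED, TODAY, days=7, count=5)
    for client, name in match_dns_log(SAMPLE_LOG, blocklist):
        print(f"{client} queried predicted DGA domain {name}")
```

The two failure modes the post describes fall straight out of the code: change `RECOVERED_SEED` (as Tinba’s operators do between builds) and every precomputed domain becomes useless, while a purely date-based variant with no seed would let anyone predict the domains from the calendar alone.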

Friday, May 01, 2015

There is speculation about the risk of a catastrophic attack on Western critical infrastructure, specifically in the energy industry, for which companies are unprepared. It is reported that Iran-backed operatives have gained access to information that could enable successful attacks on SCADA systems in the future. Historically, these systems have been protected by being isolated from the internet, but paths for remote access still exist. For now, whitelisting, lockdowns, memory and content scanning, updated technology and personnel training are recommended.

A web-crawling bot discovered Twitter’s financials buried in its investor relations page, allowing the earnings statement to be published online 45 minutes ahead of schedule, causing an 18% drop in shares. Financial-intelligence firm Selerity has come forward as the source that published the information before NASDAQ’s closing bell but claims they did not hack anybody. This is the same company who released Microsoft’s earnings early in 2011 and ADP Research Institute’s in 2014.

Massachusetts’ largest health care system, Partners HealthCare, has suffered a major data breach that includes patient information. So far, it’s been reported that a group of employees from different facilities within the system received phishing emails and provided information in response to the legitimate-seeming emails. Partners HealthCare has confirmed it is notifying 3,300 patients about the incident and encouraging those affected to review the benefits statement they receive from their insurer for accuracy.

Researchers discovered an attack campaign that used the Bedep Trojan to artificially generate traffic to videos with pro-Russia propaganda content on Dailymotion.com. The malware automatically, and without visibility to the user, loaded movies on infected machines to spike view counts, causing at least one to be featured on the front page.

A surge in spam messages targeting mainly US-based banks and financial institutions has been reported. Attackers are sending phishing emails claiming to be from an electronic funds transfer company and carrying a BARTALEX malware-laden document that, if its macros are enabled, drops the Dyre banking malware. This particular attack involved more than 1,000 malicious Dropbox links, though the shared links have since been disabled.

Want to keep up with Cyber Scoop throughout the week? Follow us on Twitter @FidSecSys and don’t forget to share articles you think should be in next week’s Scoop using #CyberScoop!

Friday, April 24, 2015

The APT group known as CozyDuke is suspected to be behind the attack on the White House and State Department. Researchers also believe CozyDuke was behind attacks on other government organizations and commercial entities in the U.S., Germany, South Korea and Uzbekistan. In the more recent campaigns, CozyDuke is using the standard Windows API and phasing out custom features from prior campaigns to simplify the process.

An Adobe Flash Player zero-day exploit was embedded in online ads for close to two months in an attack that targeted US users with a ransomware payload. The vulnerability was patched on February 2, bringing an end to the campaign but attacks using the exploit were found as early as December 2014 and targeted the websites of Dailymotion, Huffington Post, answers.com, and New York Daily News among others.

A flaw in iOS 8 allows attackers to render devices useless if they are within range of a rogue wireless hotspot. The attack exploits a flaw in how iOS 8 handles SSL certificates and allowed researchers to crash apps running on iOS 8 devices or put the device into a constant reboot cycle. Users should update to the latest version of iOS and avoid joining suspicious free networks.

Researchers have discovered an exploit that enables cybercriminals to track keystrokes and mouse clicks in a web browser. The exploit is effective against machines using late-model Intel CPUs, such as a Core i7, and a browser that supports HTML5. The attack is performed by JavaScript served from a malicious web ad network.

Researchers have found that the operators behind banking botnets are expanding and going after smaller banks and targeting other areas such as corporate accounting and payroll systems following the takedown of high profile botnets like Gameover Zeus.

Friday, April 17, 2015

Security researchers have identified a new strain of POS malware during an investigation led by the US Secret Service. The malware, called Punkey, hides inside the explorer.exe process on Windows POS systems and once activated, scans the memory of other running programs for card holder data before uploading the data to a command and control server.

A vulnerability discovered in the late 1990s in Microsoft Windows can still be used to steal login credentials. The flaw affects any PC, tablet or server running Windows and can be reached through as many as 31 software programs. Known as “redirect to SMB”, it is exploited when an attacker who can intercept a client’s communication with a web server (a man-in-the-middle) answers with an HTTP redirect to a file:// URL: Windows follows the redirect to the attacker’s SMB server and automatically attempts to authenticate, leaking the user’s credentials in a form that can be cracked offline.

Recent POS malware attacks targeting more than 100 terminals in Brazil are believed to be the handiwork of a single person who managed to steal more than 22,000 unique credit card numbers in a little over a month. In addition to collecting credit card track 1, track 2 and CVV data, the malware, called FighterPOS, features RAM-scraping functionality and allowed the threat actor to launch DDoS attacks from infected terminals.

A flaw in the kernel of Darwin, the open-source core on which iOS and OS X are built, that allowed attackers to remotely crash devices in a denial-of-service attack has been patched by Apple. The flaw, known as “Darwin Nuke”, could also crash a user’s Mac or iOS device and impact any corporate network to which it is connected. Users should update to OS X Yosemite v10.10.3 and iOS 8.3 to receive the patch.

A tool dubbed the “Great Cannon” has been used by the Chinese government to launch a massive denial-of-service attack against two anti-censorship GitHub pages. The tool could also be used to deliver malware to end users. The junk traffic came from the computers of people who browsed websites carrying analytics scripts from the Chinese search engine Baidu: for one to two percent of visits from outside China, malicious code was injected into that traffic, causing the visitors’ browsers to load the two targeted GitHub pages repeatedly.